M365 Identity Unusual SSO Authentication Errors for User

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

M365 Identity Unusual SSO Authentication Errors for User

Identifies the first occurrence of SSO, SAML, or federated authentication errors for a user. These errors may indicate token manipulation, SAML assertion tampering, or OAuth phishing attempts. Modern adversaries often target SSO mechanisms through token theft, SAML response manipulation, or exploiting federated authentication weaknesses rather than traditional brute force attacks.

Rule type: new_terms

Rule indices:

logs-o365.audit-*
filebeat-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Identity
Data Source: Microsoft 365
Data Source: Microsoft 365 Audit Logs
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Initial Access
Resources: Investigation Guide

Version: 213

Rule authors:

Elastic
Austin Songer

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating M365 Identity Unusual SSO Authentication Errors for User

SSO, SAML, and federated authentication mechanisms are critical infrastructure for modern identity access. Adversaries increasingly target these systems through token manipulation, SAML response tampering, OAuth phishing, and exploitation of federated trust relationships rather than traditional credential brute forcing. This detection identifies when a user experiences SSO-related authentication errors that are unusual for their typical behavior, which may indicate an attacker attempting to abuse stolen tokens or manipulate authentication flows.

Possible investigation steps

Review the specific error code(s) in the o365.audit.ErrorNumber field to understand the nature of the authentication failure (e.g., token signature failure, SAML assertion tampering, cross-tenant token misuse). Reference Microsoft’s AADSTS error codes at https://login.microsoftonline.com/error?code=<ErrorNumber>; for detailed descriptions.
Examine the source IP address and geolocation of the authentication attempt - compare against the user’s typical login patterns.
Check for concurrent authentication activity from the same user - multiple SSO errors alongside successful logins may indicate token replay or session hijacking attempts.
Investigate recent OAuth application consent activity for this user - OAuth phishing campaigns often precede SSO manipulation attempts.
Review the target application or service principal being accessed during the failed authentication to identify potential attacker objectives.
Analyze the user’s recent mailbox activity, particularly for phishing emails with OAuth consent links or suspicious authentication requests.
Check for any recent changes to the user’s federation settings, registered devices, or authentication methods.
Correlate with Entra ID risky sign-in detections and risky user alerts for the same account.

False positive analysis

First-time SSO setup: Users configuring SSO access to a new federated application may encounter initial authentication errors. Validate whether the errors occurred during expected onboarding windows.
Federation service outages: Widespread SSO errors affecting multiple users simultaneously often indicate infrastructure issues rather than targeted attacks. Check for service health incidents in the same timeframe.
Certificate rotation: Federated authentication certificate renewals can temporarily cause signature validation errors. Verify if the errors align with planned certificate maintenance.
Legitimate cross-tenant access: Users with business relationships across multiple tenants may encounter cross-tenant policy errors during authorized access attempts.

Response and remediation

If token manipulation or SAML tampering is suspected, immediately revoke all active sessions and refresh tokens for the affected user.
Review and audit all OAuth application consents granted by the user - remove any suspicious or unrecognized applications.
Enable Conditional Access policies requiring compliant devices and MFA for SSO authentication if not already enforced.
If cross-tenant token misuse is detected, review and restrict external collaboration settings and cross-tenant access policies.
For SAML assertion or signature errors, validate the integrity of federation trust certificates and metadata.
Investigate whether the user’s credentials have been compromised - enforce password reset if credential theft is suspected.
Review Entra ID audit logs for unusual application registrations, service principal modifications, or federation setting changes.
Escalate to the security operations team if evidence suggests active token theft, SAML Golden Ticket techniques, or OAuth phishing campaigns.

Rule query

edit

event.dataset:o365.audit
    and event.provider:AzureActiveDirectory
    and event.category:authentication
    and o365.audit.ErrorNumber:(
        20001 or 20012 or 20033 or 40008 or 40009 or 40015 or
        50006 or 50008 or 50012 or 50013 or 50027 or 50048 or
        50099 or 50132 or 75005 or 75008 or 75011 or 75016 or
        81004 or 81009 or 81010 or 399284 or 500212 or 500213 or
        700005 or 5000819
    )

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Sub-technique:
- Name: Cloud Accounts
- ID: T1078.004
- Reference URL: https://attack.mitre.org/techniques/T1078/004/
Technique:
- Name: Phishing
- ID: T1566
- Reference URL: https://attack.mitre.org/techniques/T1566/

« M365 Identity OAuth Phishing via First-Party Microsoft Application M365 Identity User Account Lockouts »